Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2014-10-07 14:26:47 +0100
commit: b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (patch)
tree: 4d1529682d4c22a5a7382b1f7d71334c0434f959
parent: 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 (diff)
3 files changed, 89 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 90e81e160..7f160f131 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
        ]
 )
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+        [
+                if test "x$withval" != "xno" ; then
+                        saved_LIBS="$LIBS"
+                        saved_LDFLAGS="$LDFLAGS"
+                        saved_CPPFLAGS="$CPPFLAGS"
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
+                                if test -d "${withval}/lib"; then
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                        fi
+                                else
+                                        if test -n "${need_dash_r}"; then
+                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                        else
+                                                LDFLAGS="-L${withval} ${LDFLAGS}"
+                                        fi
+                                fi
+                                if test -d "${withval}/include"; then
+                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                                else
+                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                                fi
+                        fi
+                        LIBS="-lwrap $LIBS"
+                        AC_MSG_CHECKING([for libwrap])
+                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                                ]], [[
+        hosts_access(0);
+                                ]])], [
+                                        AC_MSG_RESULT([yes])
+                                        AC_DEFINE([LIBWRAP], [1],
+                                                [Define if you want
+                                                TCP Wrappers support])
+                                        SSHDLIBS="$SSHDLIBS -lwrap"
+                                        TCPW_MSG="yes"
+                                ], [
+                                        AC_MSG_ERROR([*** libwrap missing])
+                                
+                        ])
+                        LIBS="$saved_LIBS"
+                fi
+        ]
+)
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -4853,6 +4909,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/sshd.8 b/sshd.8
index 01459d637..eaeac451f 100644
--- a/sshd.8
+++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index e6706a886..3a6be65ab 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,13 @@
 #include <Security/AuthSession.h>
 #endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -2061,6 +2068,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (packet_connection_is_on_socket()) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        /* Log the connection. */
        verbose("Connection from %s port %d on %s port %d",
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2014-10-07 14:26:47 +0100
commit	b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (patch)
tree	4d1529682d4c22a5a7382b1f7d71334c0434f959
parent	1c1b6fa17982eb622e2c4e8f4a279f2113f57413 (diff)

diff --git a/configure.ac b/configure.ac index 90e81e160..7f160f131 100644 --- a/configure.ac +++ b/configure.ac
@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
1404	]	1404	]
1405	)	1405	)
1406		1406
		1407	# Check whether user wants TCP wrappers support
		1408	TCPW_MSG="no"
		1409	AC_ARG_WITH([tcp-wrappers],
		1410	[ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
		1411	[
		1412	if test "x$withval" != "xno" ; then
		1413	saved_LIBS="$LIBS"
		1414	saved_LDFLAGS="$LDFLAGS"
		1415	saved_CPPFLAGS="$CPPFLAGS"
		1416	if test -n "${withval}" && \
		1417	test "x${withval}" != "xyes"; then
		1418	if test -d "${withval}/lib"; then
		1419	if test -n "${need_dash_r}"; then
		1420	LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
		1421	else
		1422	LDFLAGS="-L${withval}/lib ${LDFLAGS}"
		1423	fi
		1424	else
		1425	if test -n "${need_dash_r}"; then
		1426	LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
		1427	else
		1428	LDFLAGS="-L${withval} ${LDFLAGS}"
		1429	fi
		1430	fi
		1431	if test -d "${withval}/include"; then
		1432	CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
		1433	else
		1434	CPPFLAGS="-I${withval} ${CPPFLAGS}"
		1435	fi
		1436	fi
		1437	LIBS="-lwrap $LIBS"
		1438	AC_MSG_CHECKING([for libwrap])
		1439	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
		1440	#include <sys/types.h>
		1441	#include <sys/socket.h>
		1442	#include <netinet/in.h>
		1443	#include <tcpd.h>
		1444	int deny_severity = 0, allow_severity = 0;
		1445	]], [[
		1446	hosts_access(0);
		1447	]])], [
		1448	AC_MSG_RESULT([yes])
		1449	AC_DEFINE([LIBWRAP], [1],
		1450	[Define if you want
		1451	TCP Wrappers support])
		1452	SSHDLIBS="$SSHDLIBS -lwrap"
		1453	TCPW_MSG="yes"
		1454	], [
		1455	AC_MSG_ERROR([*** libwrap missing])
		1456
		1457	])
		1458	LIBS="$saved_LIBS"
		1459	fi
		1460	]
		1461	)
		1462
1407	# Check whether user wants to use ldns	1463	# Check whether user wants to use ldns
1408	LDNS_MSG="no"	1464	LDNS_MSG="no"
1409	AC_ARG_WITH(ldns,	1465	AC_ARG_WITH(ldns,
@@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG"
4853	echo " SELinux support: $SELINUX_MSG"	4909	echo " SELinux support: $SELINUX_MSG"
4854	echo " Smartcard support: $SCARD_MSG"	4910	echo " Smartcard support: $SCARD_MSG"
4855	echo " S/KEY support: $SKEY_MSG"	4911	echo " S/KEY support: $SKEY_MSG"
		4912	echo " TCP Wrappers support: $TCPW_MSG"
4856	echo " MD5 password support: $MD5_MSG"	4913	echo " MD5 password support: $MD5_MSG"
4857	echo " libedit support: $LIBEDIT_MSG"	4914	echo " libedit support: $LIBEDIT_MSG"
4858	echo " Solaris process contract support: $SPC_MSG"	4915	echo " Solaris process contract support: $SPC_MSG"


diff --git a/sshd.8 b/sshd.8 index 01459d637..eaeac451f 100644 --- a/sshd.8 +++ b/sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
851	This file should be writable only by the user, and need not be	851	This file should be writable only by the user, and need not be
852	readable by anyone else.	852	readable by anyone else.
853	.Pp	853	.Pp
		854	.It Pa /etc/hosts.allow
		855	.It Pa /etc/hosts.deny
		856	Access controls that should be enforced by tcp-wrappers are defined here.
		857	Further details are described in
		858	.Xr hosts_access 5 .
		859	.Pp
854	.It Pa /etc/hosts.equiv	860	.It Pa /etc/hosts.equiv
855	This file is for host-based authentication (see	861	This file is for host-based authentication (see
856	.Xr ssh 1 ) .	862	.Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
954	.Xr ssh-keygen 1 ,	960	.Xr ssh-keygen 1 ,
955	.Xr ssh-keyscan 1 ,	961	.Xr ssh-keyscan 1 ,
956	.Xr chroot 2 ,	962	.Xr chroot 2 ,
		963	.Xr hosts_access 5 ,
957	.Xr login.conf 5 ,	964	.Xr login.conf 5 ,
958	.Xr moduli 5 ,	965	.Xr moduli 5 ,
959	.Xr sshd_config 5 ,	966	.Xr sshd_config 5 ,


diff --git a/sshd.c b/sshd.c index e6706a886..3a6be65ab 100644 --- a/sshd.c +++ b/sshd.c
@@ -127,6 +127,13 @@
127	#include <Security/AuthSession.h>	127	#include <Security/AuthSession.h>
128	#endif	128	#endif
129		129
		130	#ifdef LIBWRAP
		131	#include <tcpd.h>
		132	#include <syslog.h>
		133	int allow_severity;
		134	int deny_severity;
		135	#endif /* LIBWRAP */
		136
130	#ifndef O_NOCTTY	137	#ifndef O_NOCTTY
131	#define O_NOCTTY 0	138	#define O_NOCTTY 0
132	#endif	139	#endif
@@ -2061,6 +2068,24 @@ main(int ac, char **av)
2061	#ifdef SSH_AUDIT_EVENTS	2068	#ifdef SSH_AUDIT_EVENTS
2062	audit_connection_from(remote_ip, remote_port);	2069	audit_connection_from(remote_ip, remote_port);
2063	#endif	2070	#endif
		2071	#ifdef LIBWRAP
		2072	allow_severity = options.log_facility\|LOG_INFO;
		2073	deny_severity = options.log_facility\|LOG_WARNING;
		2074	/* Check whether logins are denied from this host. */
		2075	if (packet_connection_is_on_socket()) {
		2076	struct request_info req;
		2077
		2078	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2079	fromhost(&req);
		2080
		2081	if (!hosts_access(&req)) {
		2082	debug("Connection refused by tcp wrapper");
		2083	refuse(&req);
		2084	/* NOTREACHED */
		2085	fatal("libwrap refuse returns");
		2086	}
		2087	}
		2088	#endif /* LIBWRAP */
2064		2089
2065	/* Log the connection. */	2090	/* Log the connection. */
2066	verbose("Connection from %s port %d on %s port %d",	2091	verbose("Connection from %s port %d on %s port %d",